Viktor Dukhovni wrote the following on 05/02/14 20:44:
> On Wed, Feb 05, 2014 at 08:28:51PM +0000, Alan Munday wrote:
>> Viktor Dukhovni wrote the following on 05/02/14 18:45:
>>> Now for the record your leaf certificate is also a CA, which is
>>> harmless I imagine, but keep that in mind if you run into problems
>>> with some other nitpicky implementation.
>>> You're probably better off with just a self-signed cert with CA:FALSE
>>> and no issuer CA. (Basically your original issuer CA was a perfectly
>>> good leaf server certificate).
>> As per my last post, I went back to the Postfix TLS docs and started
>> again. First point was that my TLS configuration was all based on the
>> Lutz Jänicke TLS patch so I removed all configuration relating to this
>> and replaced it with only the directives listed in the TLS HowTo.
>> My certificate creation process also followed the old way of doing
>> things. I've updated this to also follow the HowTo. In doing so I needed
>> to edit two values in the openssl.cnf namely:
>> [ CA_default ]
>> unique_subject = no
>> [ usr_cert ]
>> basicConstraints=CA:TRUE
>> I did try CA:FALSE but this was causing outlook.com mail to fail (and,
>> as Viktor stated, mail from other domains as well).
>> In doing this clean-up I also found that the openssl.cnf config files
>> were different between mx1 and mx3. mx1 was the newer (the most recently
>> rebuilt machine) and some of the defaults had changed. I think this
>> explains some of the differences in behaviour between the machines.
>> Though it takes a while to diagnose things because my mail volumes are low.
>> I'm seeing a variation in behaviour for those connections that fail to
>> establish a TLS connection. Most keep retrying, a few fall back and
>> connect without TLS. I've not seen any fall back and try the secondary
>> (which is mx1 in this case).
> And of course mx3 is still broken, STARTTLS hangs, because it is
> unable to transmit the server SSL HELLO + certificate, likely due
> to path MTU or other network layer issues.
I am still seeing mx1 establish 100% of TLS connections and mx3 50%
(with a significant number of those being retries) so I have looked at
the comms. Both boxes are behind firewalls (same make, different models,
older OS on the mx3 firewall). They both only allow TCP/25 in, and mx3
has no restrictions on outbound traffic (mx1 is restricted to key
services). The MTU on the firewall interfaces is set to the same value
(1500) on both, and the comms (DSL based) both go to the same ISP. So I could do
with some pointers on where to go next with this.
Just from a technical perspective I'd like to understand and resolve what's
going on. Though I can see it might just be easier to turn TLS off.
Alan